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Abstract 

NASA's Constellation program has selected the 
closed cycle hydrogen oxygen Polymer Electrolyte 
Membrane (PEM) Regenerative Fuel Cell (RFC) as its 
baseline solar energy storage system for the lunar 
outpost and manned rover vehicles. Since the outpost 
and manned rovers are "human-rated", these energy 
storage systems will have to be of proven reliability 
exceeding 99 percent over the length of the mission. 
Because of the low (TRL=5) development state of the 
closed cycle hydrogen oxygen PEM RFC at present, and 
because there is no equivalent technology base in the 
commercial sector from which to draw or infer reliability 
information from, NASA will have to spend significant 
resources developing this technology from TRL 5 to TRL 
9, and will have to embark upon an ambitious reliability 
development program to make this technology ready for 
a manned mission. Because NASA would be the first 
user of this new technology, NASA will likely have to 
bear all the costs associated with its development. 

When well-known reliability estimation techniques are 
applied to the hydrogen oxygen RFC to determine the 
amount of testing that will be required to assure RFC 
unit reliability over life of the mission, the analysis 
indicates the reliability testing phase by itself will take at 
least 2 yr, and could take up to 6 yr depending on the 
number of QA units that are built and tested and the 
individual unit reliability that is desired. The cost and 
schedule impacts of reliability development need to be 
considered in NASA's Exploration Technology 
Development Program (ETDP) plans, since life cycle 
testing to build meaningful reliability data is the only way 
to assure "return to the moon, this time to stay, then on 
to Mars" mission success. 

Discussion 

NASA's Constellation Program calls for establishment 
of a permanently manned lunar outpost on the moon by 
2024. In the current mission scenario (Ref. 1), there is a 
habitat and eight lander modules (four solar array and 
four energy storage modules) that provide electrical 
power to the outpost. The outpost will be powered by 
photovoltaic (PV) arrays when there is sunlight, and by 
energy storage units when the base is shaded or there 


is no sunlight; each energy storage unit having been 
recharged by its PV array when there was sunlight (see 
Fig. 1). Under this mission scenario (Shackleton Crater 
location) an energy storage unit is expected to have a 
5 yr calendar life (will operate 1000 hr per year for a 
5000 hr operating life) with no replacement, repair or 
maintenance allowed. If a more equatorial mission 
location is chosen, a 10,000 hr operating life is required 
(Ref. 2). 

Since viability of the outpost, and the astronaut's 
survival, depend on the constant availability of electric 
power, the PV arrays and energy storage units deployed 
on the Moon will have to be very reliable. While the 
reliability requirement has not been fully articulated, it is 
reasonable to expect that, for a high visibility, publicly 
financed endeavor such as a moon base where human 
lives are at stake, the reliability of electrical power 
delivery will have to be in the multiple nine digits range 
(i.e., exceeding 99 percent). 

Some of this reliability will be achieved by 
interconnecting the PV array/energy storage units 
together in such a way that, if one unit fails, the 
remaining units will pick up the load (refer to Table 1). 
The rest will depend on the inherent reliability of the 
individual units themselves; that is, the probability that 
an individual unit will not fail (i.e., will continue to deliver 
power as required) during the length of its mission. 

PV arrays have inherently high reliability since they 
are made up of redundant solar cell strings connected in 
parallel. For PV arrays the individual unit reliabilities are 
well established due to this technology's widespread 
application in satellites and spacecraft. However, that is 
not the case with the energy storage technology which 
was chosen. For lunar surface mission, the launch and 
transportation costs dominate; therefore the 
Constellation program has baselined the hydrogen 
oxygen RFC for its energy storage because it appears to 
be lowest mass of all the options considered (except for 
nuclear power). Although the hydrogen oxygen RFC is a 
largely undeveloped technology, the watt-hr per kilogram 
that could be delivered from an RFC unit versus other 
alternatives (1100 W-hr/kg for the RFC versus 200 W- 
hr/kg for a secondary battery) appear so much better 
that the technical risk (including its vulnerability to single 
point failures) is acceptable in view of the launch cost 
saving it affords (Ref. 2). 
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TABLE 1.— INTERCONNECTED PV ARRAY/ENERGY STORAGE UNITS 
[Reliability of four Interconnected units.' 


Survival probability 






One individual unit (25 percent capacity) 

0.800 

0.900 

0.950 

0.990 

0.995 

4 out of 4 units (100 percent capacity) 

0.410 

0.656 

0.814 

0.961 

0.980 

At least 3 out of 4 units (75 percent capacity) 

0.819 

0.948 

0.986 

0.999 

0.9998 

At least 2 out of 4 units (50 percent capacity) 

0.973 

0.996 

0.999 

0.99999 

~1 

At least 1 out of 4 units (25 percent capacity) 

0.998 

0.9999 

0.99999 

~1 

~1 



Figure 1 . — PV array and energy storage unit on lunar surface. 


Accordingly NASA has a project to develop the 
hydrogen oxygen RFC for its eventual lunar base. A 
major component of that project is developing the 
enabling technology to reduce technical risk, with intent 
to: (a) demonstrate operational feasibility for the lunar 
environment and (b) characterize life and reliability 
against the mission requirements. 

It won't be easy establishing life and reliability of the 
hydrogen oxygen RFC. There is no existing fleet of units 
in service to draw failure data from. The few hydrogen 
oxygen RFCs which have been operated so far are not 
considered representative of units which might be 
deployed on the moon, and NASA’s development plans 
do not have a "fully representative" prototype appearing 
until 2016 (the due date for a TRL6 prototype ). While 
there is a small population of terrestrial (hydrogen-air) 
RFCs operating sufficient to develop a failure database, 
their character is different enough from the hydrogen 
oxygen RFC to render invalid any correlations from the 
terrestrial unit's service history. 

This presents a dilemma for mission planners. For 
other energy storage technologies (i.e., batteries) there 
are numerous examples of similar units serving in 
terrestrial applications, where there are populations 
large enough to empirically assess life and reliability. 


and infer similar life and reliability to the lunar base 
application. With the hydrogen oxygen RFC there is no 
terrestrial equivalent. 

NASA cannot stake mission success on an untried 
technology. If the hydrogen oxygen RFC Is to be 
deployed on the moon, it will have to undergo a reliability 
development program extensive enough to assure that 
an individual unit's operating life and reliability will meet 
or exceed the requirements. Lacking the experience 
base from a related terrestrial application, NASA will find 
it necessary to build, and life test, a representative 
number of Identical RFC units. In order to positively 
establish life and reliability. 

A "representative number" involves a production run 
of several Identical RFC units (each unit is identical in 
design and construction to its sibling, built at the same 
location from the same manufacturing process) whose 
hardware design is as fully representative of the mission 
unit as possible. Life Test means each unit is operated 
under conditions as representative of the mission 
environment as possible; the same test regime is 
applied to all the units, and the test conditions must be 
applied for a duration that significantly exceeds the 
target operating lifetime. 

This means setting up a production line, and a well- 
documented production process, to build the units. It 
also means life testing the individual units to failure, or at 
least a duration that significantly exceeds the target 
operating lifetime. Units which fail prematurely can be 
removed from test and examined for failure modes; as 
systemic failure modes are discovered in the hardware, 
incremental Improvements can be made via changes to 
its design, and to the production process. The cycle of 
improvement, remanufacture and retest is repeated until 
eventually only wearout and random failures are 
occurring; at this point the hardware design and 
manufacturing process is "frozen" and a production run 
of identical quality assurance (QA) units can be built and 
put on test. 

It is the life data from the QA units which positively 
establishes reliability. Mathematically, we can consider 
each unit's operating life as a random variable, and the 
operating life of all Identical RFC units (each unit is 
identical In design and construction to its sibling, built at 
the same location from the same manufacturing 
process) as a population. To establish the life and 
reliability of the larger population (i.e., any and all RFC 
units built to that design and by the same process), we 
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test a finite number of units — a sample — from that 
population and continue the test until there are a 
significant number of failures. The life test data, or more 
succinctly, the sample mean and sample variance 
obtained from that data, allow us to positively establish, 
within a predetermined level of confidence, the operating 
lifetime for the entire population by means of statistical 
analysis utilizing the T-distribution (Ref. 3). We do this 
by calculating a Confidence Interval about the sample 
mean, which is a function of the sample variance, the 
number of data points in the sample, and the level of 
confidence desired. 

Refer to the example T-distribution probability density 
function (sample size = 4, = 3 degrees of freedom) 
shown in Figure 2. The confidence interval indicates a 
known percentage of the larger population which will 


always lie within designated Confidence Limits 
extending from either side of the sample mean. 
Considering a set of n life test data points taken from n 
identical units that were tested to failure, each data point 
is the elapsed time to failure for that unit: 

The sample size is n 

- 1 ” 

The sample mean is: T = — V r 

n 

7=1 


I I — 

and the sample variance: 8^ = -T 

” 7=1 

and the sample deviation: 5 = . 



0 5000 10000 15000 20000 


Life in hours 

Figure 2. — Probability density function. 
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The sample mean would equate to the Mean Time To 
Failure for that sample of n units tested, the sample 
deviation would indicate the expected deviation of 
individual data points from the mean, and the Con-fidence 
Interval about the sample mean would indicate the time 
interval where a known percentage of the larger 
population of unit failures (based on data from the sample) 
must lie. For example, the two-sided 0.995 confidence 
interval shown in Figure 2 depicts the range of elapsed 
time where 99.5 percent of all failures are expected to 
occur, the 0.975 interval depicts where 
97.5 percent of the failures will occur, the 0.95 interval 
shows where 95 percent of all the failures will occur and 
so on. The upper and lower bounds of the confidence 
interval are referred to as Confidence Limits which extend 
from either side of the sample mean. The amount they 
extend (i.e., width of the confidence interval) can be 
expressed as a multiple of the sample deviation 5. The 
numerical value of that multiple depends on: (a) the 
confidence level required, and (b) the number of data 
points in the sample, according to the T-distribution. The 
density function of Figure 2 is for a sample size n of four 
data points, or a T-distribution with 3 degrees of freedom. 

The confidence interval can be used to estimate the 
larger population's reliability (i.e., probability of no 
failure) since the range of elapsed time values from zero 
to the Lower Confidence Limit happens to be the range 
where: a.) failures have not yet taken place, and b.) the 
known percentage of failures associated with that 
confidence interval «cannot» occur. Since we are only 
interested in this lower range (where failures may begin 
to occur), the probability of no failure during this time 
period (from zero to the lower confidence limit) actually 
corresponds to a "one-sided confidence limit" whose 
level of confidence is related to that of the two-sided 
interval by the relation: 

^ side ~ ^ side ) 

Thus a "one-sided 0.95 confidence limit" (associated 
with 95 percent reliability) corresponds to a two-sided 
0.975 confidence interval, a "one-sided 0.99 confidence 
limit" (associated with 99 percent reliability) corresponds 
to a two-sided 0.995 confidence interval, and so on. The 
example depicted in Figure 2 represents four units 
tested to failure, with the elapsed time to failure in hours. 
In this fictitious case, the sample mean exceeded 10000 
hr by a considerable amount but, due to the limited 
number of data points and a sample deviation of only 12 
percent, the 99 percent reliability level is considerably 
less than 10000 hr. If 10000 hr were a benchmark, we 
could say the data demonstrates 10000 hr with a 
reliability of about 95 percent. 

We can also use the T-distribution to determine how 
long a unit must be tested and how many life tests (data 


points in the sample) are required to positively establish 
life and reliability of the units. For a given life and 
reliability requirement, it is the sample mean and 
variance (deviation from the mean) of the test data that 
will determine (a) whether or not the requirement can be 
met, and (b) how many life tests (data points in the 
sample) are required, and (c) how long each unit must 
be tested. This is of practical importance since the 
minimum acceptable unit life and reliability are 
specifications normally imposed on the unit's developer 
by a customer. The number of QA units that must be 
built and tested, together with the length of time each 
unit must be tested in order to demonstrate the specified 
life and reliability, directly impacts the developer's costs. 

Table 2 displays the relevant parameters for a 
reliability estimate based on the T-distribution (using T- 
distribution function values from tables in Reference 4). 
Six examples are shown, corresponding to desired 
reliability levels of 90, 95 and 99 percent, and data 
deviations from the mean of 20 percent and 40 percent. 
The data show that when sample size n is small (few 
trials) the width of the confidence interval can be quite 
large, especially when there is appreciable deviation 
from the mean. For example, a developer who wants to 
demonstrate 95 percent reliability using only four life 
tests will face a "deviation multiplier" of 1 .6. In the event 
the four trials produced +40 percent deviation from the 
sample mean, the 95 percent confidence limits about 
that mean (normalized to 1) would be 0.36 and 1.68, 
respectively. If those four trials deviated only 20 percent 
about the sample mean, however, the 95 percent 
confidence limits about the mean would narrow to 0.68 
and 1 .32, respectively. Increasing the sample size n also 
narrows the confidence limits. If the number of life tests 
were doubled from four trials to eight, the 1 .6 "deviation 
multiplier" would be reduced to 0.84. Then, eight trials 
showing a deviation of 40 percent would narrow the 
95 percent confidence limits to 0.67 and 1.33, 
respectively, and 20 percent deviation brings them in to 
0.83 and 1.17, respectively. 

To be assured of high reliability the confidence 
interval about the mean must be narrow enough to 
afford some operating time at low failure probability. In 
cases where variances (deviations) are too great and 
there are not enough trials in the sample (inadequate 
sample size n), the confidence interval can be so wide 
that it overlaps the entire time period (no confidence). If 
the variance is small it is possible to demonstrate 
reliability with only a few trials. 

Table 3 recasts the six examples shown in Table 2 
and normalizes them to the lower confidence limit not 
the sample mean. Here it is possible to see the 
implications on the amount of time each unit will have to 
remain under test (assuming no premature failures) 
based on the reliability level, the data deviation(s) and 
the number of units tested (sample size n). 
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TABLE 2.— RELIABILITY ESTIMATES BASED ON THE T-DISTRIBUTION 
[Confidence limits from the T-dlstrlbution, normalized to the sample mean.] 


I Case 1 A — 90 percent reliability requirement 

, 40 percent deviation 




Sample size, n (no. of data points) 

4 

5 

6 

7 

8 

10 

20 

Degrees of freedom, n-^ 

3 

4 

5 

6 

7 

9 

19 

Confidence level (1 -sided interval) 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

Corresponding 2-sided interval 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

Parameter c from T-distribution 

2.35 

2.13 

2.02 

1.94 

1.90 

1.83 

1.73 

Deviation multiplier 

1.18 

0.953 

0.82 

0.73 

0.673 

0.58 

0.39 

Deviation form the sample mean (sample mean normalized to 1) 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

Lower confidence limit (below sample mean) 

0.53 

0.62 

0.67 

0.71 

0.73 

0.77 

0.85 

Upper confidence limit (above sample mean) 

1.47 

1.38 

1.33 

1.29 

1.27 

1.23 

1.15 

I Case 1 B — 90 percent reliability requirement 

, 20 percent deviation 




Sample size, n (no. of data points) 

4 

5 

6 

7 

8 

10 

20 

Degrees of freedom, n-^ 

3 

4 

5 

6 

7 

9 

19 

Confidence level (1 -sided interval) 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

Corresponding 2-sided interval 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

Parameter c from T-distribution 

2.35 

2.13 

2.02 

1.94 

1.90 

1.83 

1.73 

Deviation multiplier 

1.17 

0.95 

0.82 

0.73 

0.67 

0.58 

0.39 

Deviation form the sample mean (sample mean normalized to 1) 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

Lower confidence limit (below sample mean) 

0.77 

0.81 

0.84 

0.85 

0.86 

0.88 

0.92 

Upper confidence limit (above sample mean) 

1.23 

1.19 

1.16 

1.15 

1.13 

1.11 

1.08 

I Case 2A — 95 percent reliability requirement 

, 40 percent deviation 




Sample size, n (no. of data points) 

4 

5 

6 

7 

8 

10 

20 

Degrees of freedom, n-^ 

3 

4 

5 

6 

7 

9 

19 

Confidence level (1 -sided interval) 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

Corresponding 2-sided interval 

0.975 

0.975 

0.975 

0.975 

0.975 

0.975 

0.975 

Parameter c from T-distribution 

3.18 

2.78 

2.57 

2.45 

2.37 

2.26 

2.09 

Deviation multiplier 

1.59 

1.24 

1.05 

0.92 

0.84 

0.71 

0.47 

Deviation form the sample mean (sample mean normalized to 1) 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

Lower confidence limit (below sample mean) 

0.36 

0.50 

0.58 

0.63 

0.67 

0.71 

0.81 

Upper confidence limit (above sample mean) 

1.63 

1.50 

1.42 

1.37 

1.33 

1.29 

1.18 

I Case 2B — 95 percent reliability requirement 

, 20 percent deviation 




Sample size, n (no. of data points) 

4 

5 

6 

7 

8 

10 

20 

Degrees of freedom, n-^ 

3 

4 

5 

6 

7 

9 

19 

Confidence level (1 -sided interval) 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

Corresponding 2-sided interval 

0.975 

0.975 

0.975 

0.975 

0.975 

0.975 

0.975 

Parameter c from T-distribution 

3.18 

2.78 

2.57 

2.45 

2.37 

2.26 

2.09 

Deviation multiplier 

1.59 

1.24 

1.05 

0.93 

0.84 

0.71 

0.47 

Deviation form the sample mean (sample mean normalized to 1) 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

Lower confidence limit (below sample mean) 

0.68 

0.75 

0.79 

0.81 

0.83 

0.86 

0.91 

Upper confidence limit (above sample mean) 

1.32 

1.25 

1.21 

1.19 

1.17 

1.14 

1.09 

I Case 3A — 90 percent reliability requirement 

, 40 percent deviation 




Sample size, n (no. of data points) 

4 

5 

6 

7 

8 

10 

20 

Degrees of freedom, n-^ 

3 

4 

5 

6 

7 

9 

19 

Confidence level (1 -sided interval) 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

Corresponding 2-sided interval 

0.995 

0.995 

0.995 

0.995 

0.995 

0.995 

0.995 

Parameter c from T-distribution 

5.84 

4.60 

4.03 

3.71 

3.50 

3.25 

2.86 

Deviation multiplier 

2.92 

2.06 

1.65 

1.40 

1.24 

1.03 

0.64 

Deviation form the sample mean (sample mean normalized to 1) 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

Lower confidence limit (below sample mean) 

none 

0.18 

0.34 

0.44 

0.51 

0.59 

0.74 

Upper confidence limit (above sample mean) 

none 

1.82 

1.66 

1.56 

1.49 

1.41 

1.26 

I Case 3B — 99 percent reliability requirement 

, 20 percent deviation 




Sample size, n (no. of data points) 

4 

5 

6 

7 

8 

10 

20 

Degrees of freedom, n-^ 

3 

4 

5 

6 

7 

9 

19 

Confidence level (1 -sided interval) 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

Corresponding 2-sided interval 

0.995 

0.995 

0.995 

0.995 

0.995 

0.995 

0.995 

Parameter c from T-distribution 

5.84 

4.60 

4.03 

3.71 

3.50 

3.25 

2.86 

Deviation multiplier 

2.92 

2.06 

1.65 

1.40 

1.24 

1.03 

0.64 

Deviation form the sample mean (sample mean normalized to 1) 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

Lower confidence limit (below sample mean) 

0.42 

0.59 

0.67 

0.72 

0.75 

0.79 

0.87 

Upper confidence limit (above sample mean) 

1.58 

1.41 

1.33 

1.28 

1.25 

1.21 

1.12 
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TABLE 3.— RELIABILITY ESTIMATES BASED ON THE T-DISTRIBUTION 
[Required life test period, normalized to lower confidence limit (LCL).] 


1 Case 1A — 90 percent reliability requirement, 

40 percent deviation 




Number of QA units contemplated 

4 

5 

6 

7 

8 

10 

20 

Anticipated sample deviation, percent 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

Desired confidence level, percent 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

Sample mean extends beyond LCL (LCL normalized to 1.0) 

0.88 

0.62 

0.49 

0.42 

0.37 

0.30 

0.18 

Test time required beyond LCL 

1.77 

1.23 

0.98 

0.83 

0.73 

0.60 

0.37 

I Case IB — 90 percent reliability requirement. 

20 percent deviation 




Number of QA units contemplated 

4 

5 

6 

7 

8 

10 

20 

Anticipated sample deviation, percent 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

Desired confidence level, percent 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

0.90 

Sample mean extends beyond LCL (LCL normalized to 1.0) 

0.31 

0.24 

0.20 

0.17 

0.16 

0.13 

0.08 

Test time required beyond LCL 

0.61 

0.47 

0.40 

0.34 

0.31 

0.26 

0.17 

1 Case 2A — 95 percent reliability requirement. 

40 percent deviation 




Number of QA units contemplated 

4 

5 

6 

7 

8 

10 

20 

Anticipated sample deviation, percent 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

Desired confidence level, percent 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

Sample mean extends beyond LCL (LCL normalized to 1.0) 

1.75 

0.99 

0.72 

0.59 

0.50 

0.40 

0.23 

Test time required beyond LCL 

3.49 

1.98 

1.45 

1.17 

1.01 

0.80 

0.46 

1 Case 2B — 95 percent reliability requirement. 

20 percent deviation 




Number of QA units contemplated 

4 

5 

6 

7 

8 

10 

20 

Anticipated sample deviation, percent 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

Desired confidence level, percent 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

0.95 

Sample mean extends beyond LCL (LCL normalized to 1.0) 

0.47 

0.33 

0.27 

0.23 

0.20 

0.17 

0.10 

Test time required beyond LCL 

0.93 

0.66 

0.53 

0.45 

0.40 

0.33 

0.21 

1 Case 3A — 99 percent reliability requirement. 

40 percent deviation 




Number of QA units contemplated 

4 

5 

6 

7 

8 

10 

20 

Anticipated sample deviation, percent 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

0.40 

Desired confidence level, percent 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

Sample mean extends beyond LCL (LCL normalized to 1.0) 

void 

4.64 

1.92 

1.27 

0.98 

0.70 

0.34 

Test time required beyond LCL 

void 

9.29 

3.85 

2.55 

1.96 

1.39 

0.69 

1 Case 3B — 99 percent reliability requirement. 

20 percent deviation 




Number of QA units contemplated 

4 

5 

6 

7 

8 

10 

20 

Anticipated sample deviation, percent 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

0.20 

Desired confidence level, percent 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

0.99 

Sample mean extends beyond LCL (LCL normalized to 1.0) 

1.40 

0.70 

0.49 

0.39 

0.33 

0.26 

0.15 

Test time required beyond LCL 

2.81 

1.40 

0.98 

0.78 

0.66 

0.52 

0.29 


For example, the developer who is trying to demonstrate 
95 percent reliability using only four life tests (40 percent 
deviation) will have to contemplate an Individual unit test 
period two or three times as long as the actual mission 
requirement. For a mission requirement of 10,000 hr, a 
deviation of 40 percent will necessitate a minimum test 
period of 34,900 hr, and 20 percent deviation will require 
19,300 hr. If the number of life tests were doubled from 4 
trials to 8, however, the minimum test period for 
40 percent deviation would drop to 20,100 hr and for 
20 percent deviation It would be 14,000 hr. If the number 
of life tests were raised to 20 trials, the minimum test 
period for 40 percent deviation would drop to 14,600 hr 
and for 20 percent deviation It would be 12,100 hr. 

The developer of those four fictitious units shown in 
Figure 2 would be in full compliance If his customer had 
specified 10000 hr life with a reliability of 95 percent. If 
the customer requirement was for 10000 hr life with a 
reliability of 99 percent, however, the developer would 
not be able to demonstrate compliance unless he could 
show test results that either: 


(a) Result In a higher sample mean and/or 

(b) Produce less deviation from the sample mean, 
and/or 

(c) More data points from more units tested (increase 
sample size n) 

Fortunately the four fictitious data points in Figure 2 
were far enough above the 10000 hr benchmark that 
they could support a 99 percent reliability demonstration. 
Figure 3 shows how the confidence limits may be 
changed by the insertion of two more data points into the 
sample of Figure 2. The new data fall below the previous 
sample mean and do not appreciably change the sample 
variance, yet causes the 99 percent confidence limit to 
cross just above 10000 hr, due to the T-distribution 
being narrowed by increasing the degrees of freedom 
from three to five. Our fictitious developer was fortunate 
that his relatively small sample variance allowed 
compliance to be demonstrated with only two more 
tests. 

It is possible to demonstrate non-compliance also. 
Since sample mean and sample variance generally trace 


N AS A/TM— 2009-215502 6 





Figure 3. — Confidence limits changed with more data. 


back to inherent physical characteristics of the thing 
being tested, it is normally impossible to improve these 
parameters without some sort of technological 
breakthrough (assuming the units under test were 
optimally designed for the life of the mission). If failures 
occur before the lower confidence limit is reached, or 
produce a sample mean that is too low, or a deviation 
that is too wide, no amount of additional testing will bring 
the sampled population up to compliance. 

Implications for the Lunar Energy 
Storage Unit 

Under the current mission scenario (Shackleton 
Crater location) an energy storage unit is expected to 
have a 5 year caiendar iife (wiil operate 1000 hr per year 
for a 5000 hr operating iife) with no repiacement, repair 
or maintenance ailowed. A 10000 hr operating iife, with 
no replacement, repair or maintenance aliowed, was 
specified for other mission iocations. 

Tabie 1 shows the reliabiiity of 4 energy storage 
moduies when they are interconnected in such a way 
that if some individuai units faii the remaining units pick 
up the load. If the outpost is able to survive some 
capacity loss, the ensemble reliability can approach 
100 percent, using individual units of much lower 
reliability. 

Suppose we specify the outpost cannot lose any more 
than 25 percent of its energy storage capacity (three out 


of four units remaining) at a survival probability of 
99.0 percent, not more than 50 percent of its energy 
storage capacity (two out of four units remaining) at 
99.9 percent, and must "never" lose all power capacity 
(survival probability exceeds 99.999 percent). An 
individual unit reliability of at least 95 percent will be 
required. 

Or, we could be more sporting, and specify the 
outpost cannot lose any more than 25 percent of its 
energy storage capacity at a survival probability of 95 
percent, and settle for a reasonable assurance (survival 
probability exceeds 99.99 percent) that power won't be 
completely lost. This still requires an individual unit 
reliability upwards of 90 percent. 

For energy storage units not interconnected with the 
rest of the outpost (i.e., remote location) a reliability 
lower than 99.9 percent may be acceptable provided 
there is a failure mitigation strategy in place that ensures 
astronaut survival. Nevertheless it is reasonable to 
expect reliabilities of 99 percent or better for sake of the 
mission. 

Can 10000 hr life and >90 percent reliability be 
ascribed to the hydrogen oxygen RFC? Not yet. Life and 
reliability of the hydrogen oxygen RFC unit is not yet 
characterized (the unit tests depicted in Figures 2 and 3 
were entirely fictitious). But there is evidence that a 
system incorporating hydrogen oxygen PEM fuel cells 
may be capable of achieving operational lifetimes 
exceeding 10,000 hr. In the late 1990s the NASA 
Johnson Space Center tested an eight cell hydrogen 
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oxygen PEM stack in an effort to evaluate its potential 
durability as a replacement for the Shuttle's alkaline fuel 
cell power plant. The stack demonstrated over 1 1 ,000 hr 
life before the test was arbitrarily terminated (Ref. 5). 
NASAs Next Generation Reusable Launch Vehicle 
(RLV) program carried out durability testing during 2004 
through 2007 on a limited number of hydrogen oxygen 
PEM short (four cell) stacks. Most of the stacks 
demonstrated less than 5000 hr, but one specially 
constructed stack is reported by NASA to have achieved 
over 13,500 hr before the test was terminated (Ref. 6). A 
reliability estimate was made for the RLV primary fuel 
cell power generator based on known MTBFs for its 
ancillary components, and assuming a fuel cell stack 
reliability of 99 percent over its intended 10000 hr 
service life. A reliability of 86 percent was estimated, 
with suggested improvements for increasing reliability to 
91 percent (Ref. 7). 

Actual cell failure data for hydrogen-oxygen PEM fuel 
cells, based on measured degradation rates for identical 
cells which typically ranges from 2 to 6 pV per hour, 
suggests a deviation of about 40 to 45 percent for 
present day state-of-the-art. 

Conclusion 

Hydrogen oxygen PEM fuel cell technology could 
have the potential to meet life and reliability 
requirements associated with the lunar RFC, but this 
potential has not been demonstrated. Because of the 
more stressful internal operating environment inside 
hydrogen-oxygen fuel cells compared to hydrogen-air, 
the emerging life and reliability data from commercial 
hydrogen-air PEM fuel cells does not correlate closely 
enough to hydrogen-oxygen PEM technology to allow 
inferences to be drawn. 

The life and reliability of hydrogen oxygen PEM fuel 
cell units are an "unknown population" statistically. A 
credible characterization of life and reliability will come 
only through testing a sample of that population. Cost 
and time considerations limit the amount of testing that 
can be performed, but statistical analysis allows us to 
positively establish life and reliability from a limited 
number of trials, and to estimate the number of trials and 
length of tests required to demonstrate. 

Given the presently observed lifetime variation 
(40 percent deviation from the mean) for hydrogen 
oxygen PEM fuel cells of identical construction tested 
under uniform conditions, the analysis indicates: 

NASA will need to build and test 10 to 12 identical 
units to positively demonstrate 10000 hr life and 
99 percent individual unit reliability, with life tests for 
these units taking about 3 yr. The number of units under 
test can be reduced by half by approximately doubling 
the test period to 5-1/2 yr. The test period can be 


reduced to 2 yr by doubling the number of units tested to 
20 identical units. 

NASA will need to build and test seven to ten identical 
units to positively demonstrate 10000 hr life and 
95 percent individual unit reliability, and the life tests for 
these units will take about 3 yr. If only 90 percent unit 
reliability is acceptable, NASA may build and test as few 
as four identical units and the life tests for these units 
will take at least 3 yr. This test period may be shortened 
1 yr by increasing the number of identical units from four 
to seven units. 

If more consistency is achieved in fuel cell stack 
construction, to the extent that only 20 percent deviation 
is demonstrated — NASA could positively demonstrate 
10000 hr life and 95 percent individual unit reliability with 
five identical units and less than 2 yr of life tests. If only 
90 percent unit reliability was acceptable, NASA could 
build and test as few as four identical units and the life 
tests for these units would take less than 2 yr. 

The costs associated with the life tests, and the 
development costs leading up to the manufacture of life 
test units, will have to be shouldered by NASA since 
there are no earlier users of this technology. These 
costs and schedule impacts are not presently factored 
into NASAs energy storage development plans. 
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